Linux drop root privileges - C script

Time: 2017-10-02 23:23:38

Tags: c linux permissions user-permissions

I am running the following C script on Linux (Ubuntu 12.0.4) as a set-root-UID script (chmod 4755)

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

void main()
{ int fd;
    /* Assume that /etc/zzz is an important system file,
    * and it is owned by root with permission 0644.
    * Before running this program, you should create
    * the file /etc/zzz first. */
    fd = open("/etc/zzz", O_RDWR | O_APPEND);
    if (fd == -1) {
        printf("Cannot open /etc/zzz\n");
        exit(0);
    }

    /* Simulate the tasks conducted by the program */
    sleep(1);
    /* After the task, the root privileges are no longer needed,
    it’s time to relinquish the root privileges permanently. */

    setgroups(0, NULL);
    setregid(getgid());
    setreuid(getuid()); /* getuid() returns the real uid */

    if(setregid(getgid()) == 0){
        printf("Still root GID!\n");
        exit(0);
    }
    if(setreuid(getuid()) ==0){
        printf("Still root UID\n");
        exit(0);
    }

    if (fork()) { /* In the parent process */
        close (fd);
        exit(0);
    } else { /* in the child process */
    /* Now, assume that the child process is compromised,
    malicious attackers have injected the following
    statements into this process */

    write (fd, "Malicious Data\n", 15);
    close (fd);
    }
}

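As far as I know, it should set the permissions back to the real user (ID 1000), but I get the "Still root" error.

I tried inserting setuid(1000) setuid(0) just around setgroups to remove any saved UID issue, but that only lets it bypass the if statements while still allowing the "Malicious Data" to be written.

I also tried closing the file with close(fd) before dropping the privileges, because I was not sure whether you can edit the permissions while a file opened as root is still open. But I still have the same problem.

Any ideas what I am doing wrong here? Why doesn't it work?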

1 answer:

Answer 0: (score: 3)

I assume you run the program with getuid. In that case, "Malicious Data\n" will return 0. You must explicitly call to set the uid to the desired uid (e.g. 1000).

Also, fd will be written to, because it was already open while the process had elevated privileges; even after your process loses the privileges, you can still write to it. The process now cannot open the file again.

Everything is according to the spec: if you want to prohibit the process from writing to the file, make sure to close it before dropping privileges.
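
The points raised in this thread, as an added example that is not code from the question or the answer: the descriptor opened as root is closed before the drop, the set*id calls are tested with 0 meaning success, and the drop is verified by trying to get the old ids back. The helper names writable_fds and drop_privileges and the 4096 scan limit are assumptions introduced here.

```c
#define _DEFAULT_SOURCE   /* setgroups, setregid, setreuid on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: count descriptors >= 3 that are open for writing. */
int writable_fds(void)
{
    int n = 0;
    for (int fd = 3; fd < 4096; fd++) {          /* 4096: assumed scan limit */
        int fl = fcntl(fd, F_GETFL);
        if (fl != -1 && (fl & O_ACCMODE) != O_RDONLY)
            n++;
    }
    return n;
}

/* Hypothetical helper: switch to uid/gid for good; 0 only if verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    /* Group changes need privilege, so they come before the uid change. */
    if (old_euid == 0 && setgroups(0, NULL) != 0) return -1;
    if (setregid(gid, gid) != 0) return -1;      /* 0 means success */
    if (setreuid(uid, uid) != 0) return -1;

    /* Verify instead of trusting the calls: old ids must be unreachable. */
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (gid != old_egid && setegid(old_egid) == 0) return -1;
    if (uid != old_euid && seteuid(old_euid) == 0) return -1;
    return 0;
}

int main(void)
{
    int before = writable_fds();
    int fd = open("/etc/zzz", O_RDWR | O_APPEND); /* file from the question */
    if (fd != -1) close(fd);                      /* close BEFORE dropping */
    if (getuid() == 0 || writable_fds() != before ||
        drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "not safe to continue: root or a privileged fd remains\n");
        return 1;
    }
    printf("uid=%d euid=%d, no privileged fd left\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

When the binary is started by root itself, getuid() is already 0 and there is nothing to drop to, so main refuses to continue in that case.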